
Do you also audit / control web browsers the clients are using?


> Do you also audit / control web browsers the clients are using?

Certain places do, actually. That's why lots of enterprise software was stuck having to support IE just a few years back (and probably still in some places that haven't caught up).

I've seen demands for certain features working on Edge/Chrome in particular even if it would break something in Firefox, which might be the preference of the end users but also corporate policy towards using known software in certain places.

I'm sure that you're still likely to run into plenty of environments where something like Edge might be the only allowed browser.


>lots of enterprise software was stuck having to support IE just a few years back

Yep, and talking about Jira, they only ended that support in March 2020.

And wow, according to Wikipedia, Microsoft still supports Internet Explorer on some non-consumer Windows flavors. Today. I find that actually pretty stunning; it must be a huge liability to be running web apps that break on non-IE browsers, because that can't then be the only aspect in which it's still stuck in the stone ages.


They will have a leg up there because on the machines this LTSC version of Windows is made for, you shouldn't be browsing the web much in the first place; the intended applications are 'medical systems (such as those used for MRI and CAT scans), industrial process controllers, and air traffic control devices'.


Let's say there's a higher chance that you'll be able to sign a contract with Google or Microsoft that allows you to sue the $$$ out of them if something happens, than hoping to get anything from ankitpokhrel on GitHub whose bio says "I have no idea what I do".

(Nothing against ankitpokhrel and this great tool, just making a point in a slightly sarcastic way)


It's open source. If you want to use the functionality but don't trust a random internet user named ankitpokhrel, you can literally gut the project, copy-paste the code you understand, get basic functionality to work, and you can be pretty much certain that there is nothing nefarious going on.

I have done that multiple times. It's not very time demanding, because the working code is there, and all you're doing is essentially deleting code you either don't understand, or don't need. At the same time, you're reading the code you do use.


Which the IT guy won’t want to do and will tell you to just use the web interface


And imagine yourself in the IT guy's shoes. Some rando expects you to audit something that at most one or two people use and that probably contains a hundred vulns which would very likely never be fixed anyway. Why would you bother with such a request?


We do that frequently. "I wrote this code" -> audit while I use my code -> "OK/please fix this or that".

I am the customer of our IT, I don't know why it should be any other way. It's noteworthy though that I don't work in a tightly regulated sector.


The premise is that you don't want to audit the source. It's extremely costly and you end up doing it for every update.


I would bet it's easier to do it with a 1 man company, the megacorps are famous for firewalling themselves from liability with very good contract lawyers.

You may also be able to get 3rd party insurance for this.


The 1 man company doesn't have deep enough pockets to actually repay damages and can easily declare bankruptcy.


From my experiences of Jira at scale, yes.


Yes - I can install Chrome and Firefox via a remote install system because the client's laptop is locked down so tight I can't do it any other way.

All software, including open source, technically needs to get approved by a security team.


Not OP, but the company I work for certainly does. They are required to by various business and government contracts.

They only enforce it if you run windows, though.



